From 6d1b3b28c3ede3c7559d5da5cd266b8233b228c5 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Sat, 24 Sep 2022 00:11:15 +0200 Subject: [PATCH] docs(ansible): Entity only needs a userpass alias, no token alias (#1) --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5df826c..73e4217 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,9 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va * Optionally [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. - You'll want to create an Ansible entity create both a `token` and a `userpass` alias. Lastly within the `userpass` auth method create a user of the same name used for both the entity and its aliases and use that user to authenticate against Vault. Retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). + You'll want to create an Ansible entity and a `userpass` alias. Think of the alias as glue that ties an auth method to an entity. This in turn allows you to specify policy that applies to the entity, gets inherited by aliases and lastly inherited by auth methods. + + In this simple use case create create a user in the `userpass` auth method, use the same name used from both the entity and its alias. Use that user to authenticate against Vault and retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/role-cfgmgmt.hcl](policies/role-cfgmgmt/role-cfgmgmt.hcl). From here on out it's just more of what you already did, feel free to make this fit your own approach.